[arch-general] SystemD: Is there a way to disable PrivateTmp globally?
Hi,

Is there a way to disable Private Tmp globally? I know I can disable it by copying all the affected unit files to /etc/systemd and removing it there, but is there a way to disable it once and for all?

The reasons I want to disable it are:

- I don't need it: this is a single user machine that sits behind a firewall and doesn't run any publicly available servers, so the security issues that private tmp solves are not important for this machine;
- I want to know where the files are, and I especially do not want them in a tmpfs. According to the docs I was able to find, private tmp is implemented using "kernel namespace" but that tells me nothing about where the data is stored;
- I want to be able to access those files for debugging purposes. For example, I have some custom Apache modules that dump debug information to files in /tmp and I need to be able to access them. However, I haven't found any way to access the private tmp of a service, even as root.

Thanks,
Jerome

-- 
mailto:jeberger@free.fr http://jeberger.free.fr Jabber: jeberger@jabber.fr
On Thu, Nov 1, 2012 at 5:40 PM, "Jérôme M. Berger" <jeberger@free.fr> wrote:
> Hi,
>
> Is there a way to disable Private Tmp globally? I know I can disable it by copying all the affected unit files to /etc/systemd and removing it there, but is there a way to disable it once and for all?
>
> The reasons I want to disable it are:
>
> - I don't need it: this is a single user machine that sits behind a firewall and doesn't run any publicly available servers, so the security issues that private tmp solves are not important for this machine;
> - I want to know where the files are, and I especially do not want them in a tmpfs. According to the docs I was able to find, private tmp is implemented using "kernel namespace" but that tells me nothing about where the data is stored;
> - I want to be able to access those files for debugging purposes. For example, I have some custom Apache modules that dump debug information to files in /tmp and I need to be able to access them. However, I haven't found any way to access the private tmp of a service, even as root.
>
> Thanks,
> Jerome
>
> -- 
> mailto:jeberger@free.fr http://jeberger.free.fr Jabber: jeberger@jabber.fr

The files are in subdirectories. /tmp/systemd-private-XXXXXX is bound to /tmp, /var/tmp/systemd-private-XXXXXX is bound to /var/tmp.
On Thu, Nov 1, 2012 at 7:11 PM, Jan Steffens <jan.steffens@gmail.com> wrote:
> The files are in subdirectories. /tmp/systemd-private-XXXXXX is bound to /tmp, /var/tmp/systemd-private-XXXXXX is bound to /var/tmp.

Also you can get which directories are used by which process with the following command:

    $ sudo grep systemd-private /proc/*/mountinfo

I don't know if there is a proper tool to do that, though.

-- 
Rodrigo
On Fri, Nov 02, 2012 at 10:48:53AM +0100, Rodrigo Rivas wrote:
> On Thu, Nov 1, 2012 at 7:11 PM, Jan Steffens <jan.steffens@gmail.com> wrote:
> > The files are in subdirectories. /tmp/systemd-private-XXXXXX is bound to /tmp, /var/tmp/systemd-private-XXXXXX is bound to /var/tmp.
>
> Also you can get which directories are used by which process with the following command:
>
>     $ sudo grep systemd-private /proc/*/mountinfo
>
> I don't know if there is a proper tool to do that, though.
>
> -- 
> Rodrigo

Find the pid of the process, and findmnt can show you a pretty layout of the mount namespace:

    findmnt -N <pid>
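The grep over /proc/*/mountinfo and `findmnt -N <pid>` both list the bind mounts, but they leave the reader to work out which host-side directory each one comes from. The script below is an added example, not code from this thread or from systemd: it parses the service's mountinfo together with the host's own /proc/self/mountinfo and prints, for /tmp and /var/tmp, the path an administrator can open from outside the namespace. It assumes the mountinfo field layout documented in proc(5), a current systemctl that supports `show --value`, and `httpd.service` as a placeholder unit name; the two embedded mountinfo listings are constructed samples, so with no arguments the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): resolve the host-side
# directory that a PrivateTmp service sees as /tmp and /var/tmp.
#
# mountinfo line layout (proc(5)):
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional...] - FSTYPE SOURCE SUPEROPTS
# Inside the service's namespace, the bind mount on /tmp has ROOT set to the
# systemd-private-* subdirectory, expressed relative to the root of its
# filesystem (MAJ:MIN). Joining ROOT with the host mountpoint of that same
# filesystem gives the path that is reachable from the host.

# $1: the service's /proc/<pid>/mountinfo   $2: the host's /proc/self/mountinfo
# Output: MOUNTPOINT <tab> HOST_PATH <tab> FSTYPE, one line per private tmp.
private_tmp_host_paths() {
    awk '
        # pass 1 (host file): remember where each filesystem, mounted at its own root, lives
        FNR == NR { if ($4 == "/") mp[$3] = ($5 == "/" ? "" : $5); next }
        # pass 2 (service file): pick the PrivateTmp bind mounts
        $4 ~ /systemd-private-/ && ($5 == "/tmp" || $5 == "/var/tmp") {
            for (i = 7; i <= NF; i++) if ($i == "-") break   # separator before FSTYPE
            host = ($3 in mp) ? (mp[$3] $4) : ("<unknown fs " $3 ">" $4)
            printf "%s\t%s\t%s\n", $5, host, $(i + 1)
        }' "$2" "$1"
}

# Constructed sample: on the host /tmp is a tmpfs (0:39) and /var/tmp lies on the
# root ext4 filesystem (8:2); the service sees private subdirectories on both.
SAMPLE_HOST='22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
35 22 0:39 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw'
SAMPLE_SERVICE='298 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
310 298 0:39 /systemd-private-AbCdEf /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
312 298 8:2 /var/tmp/systemd-private-AbCdEf /var/tmp rw,relatime shared:1 - ext4 /dev/sda2 rw'

# Run the resolver over the constructed sample (no root and no systemd needed).
demo() {
    svc=$(mktemp) || return 1
    host=$(mktemp) || { rm -f "$svc"; return 1; }
    printf '%s\n' "$SAMPLE_SERVICE" > "$svc"
    printf '%s\n' "$SAMPLE_HOST" > "$host"
    private_tmp_host_paths "$svc" "$host"
    rm -f "$svc" "$host"
}

# Live use (run with sudo, as in the thread; httpd.service is a placeholder):
#   sudo sh private_tmp.sh "$(systemctl show -p MainPID --value httpd.service)"
case $# in
    0) demo ;;
    1) private_tmp_host_paths "/proc/$1/mountinfo" /proc/self/mountinfo ;;
    *) echo "usage: $0 [pid]" >&2 ;;
esac
```

On the sample input the script prints `/tmp` resolved to `/tmp/systemd-private-AbCdEf` on tmpfs and `/var/tmp` resolved to `/var/tmp/systemd-private-AbCdEf` on ext4, which is exactly the distinction the original question cared about: whether the private directory ends up on tmpfs or on disk depends only on where the host mounts /tmp and /var/tmp, not on PrivateTmp itself.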
Dave Reisner wrote:
> On Fri, Nov 02, 2012 at 10:48:53AM +0100, Rodrigo Rivas wrote:
> > On Thu, Nov 1, 2012 at 7:11 PM, Jan Steffens <jan.steffens@gmail.com> wrote:
> > > The files are in subdirectories. /tmp/systemd-private-XXXXXX is bound to /tmp, /var/tmp/systemd-private-XXXXXX is bound to /var/tmp.
> >
> > Also you can get which directories are used by which process with the following command:
> >
> >     $ sudo grep systemd-private /proc/*/mountinfo
> >
> > I don't know if there is a proper tool to do that, though.
> >
> > -- 
> > Rodrigo
>
> Find the pid of the process, and findmnt can show you a pretty layout of the mount namespace:
>
>     findmnt -N <pid>

Thanks a lot Jan, Rodrigo and Dave. That takes care of the main reasons why I didn't want private tmp.

Jerome

-- 
mailto:jeberger@free.fr http://jeberger.free.fr Jabber: jeberger@jabber.fr